
WordPress Plugin 4.5.2 data Vulnerability Issue



  • #69489
    PLAN8
    Customer

    Hi,

    I have just become aware of a potentially severe vulnerability in the Verge3D WordPress plugin v4.5.2. The details can be read here:

    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/verge3d/verge3d-452-authenticatedsubscriber-arbitrary-file-upload

    “The Verge3D Publishing and E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘v3d_upload_app_file’ function in all versions up to, and including, 4.5.2. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.”

    Thanks.

    #69491
    PLAN8
    Customer

    This flags up my previous repeated requests for the V3D export locally option to ONLY export the essential required HTML app files and none of the V3D, Blender and other unused files –

    As a non-coder, I find the export locally option very un-"Artist Friendly", as there is no clear explanation as to which files are required for the HTML app only. It is not an easy task at all to go through the exported files and try to work out which are the actual HTML app files and which are the puzzle files, Blender files, etc.

    PLEASE can you make the export locally option respect the option that is made checkable in the app manager “general settings”? I really don’t understand why this hasn’t been done – it makes no sense at all, and now with this vulnerability issue, it would help resolve this if the upload app manager in WordPress was only uploading a known set of file types because the exported app locally only contains the required files for a website. If that makes sense?

    #69493
    PLAN8
    Customer

    My non-coder suggestion for an immediate fix to the vulnerability is that perhaps the WordPress app should only accept the required files for now; if the user wants to upload any extra file types, then perhaps the app could have a text entry box where the user can specify allowed file types to be uploaded in addition to the basic required types.

    Looking ahead, being able to export ONLY the HTML app files from the app manager (or to make a clear folder distinction between front-end and back-end files, i.e. the V3D app is stored in a totally separate folder from the working files) is essential IMHO.
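The Wordfence description above says the upload function lacks file type validation, and the suggestion above is an allowlist of the file types a published app actually needs. The following is an added illustrative example of that approach, not code from the Verge3D plugin or from Soft8Soft; the allowlist, the sample bundle and the function names are assumptions for the demonstration. It also shows why a naive "not .php" denylist is the wrong tool: case variants, alternative PHP extensions and double extensions walk straight through it, whereas an allowlist on the final extension, a path-component check and a magic-byte check for binary types reject the same inputs.

```python
"""Allowlist validation for files uploaded as part of an HTML app bundle.

Added illustrative example; not code from the Verge3D plugin or from
Soft8Soft. The allowlist is an assumption about what a published
Verge3D-style app contains and should be tuned per project.
"""
import re

# Assumed: file types a published HTML app is expected to contain.
ALLOWED_EXTENSIONS = frozenset({
    "html", "htm", "js", "css", "json", "gltf", "glb", "bin",
    "png", "jpg", "jpeg", "webp", "ktx2", "hdr", "wasm", "woff2", "mp3", "mp4",
})

# Inner extensions a typical PHP host may execute or that change server
# behaviour ("shell.php.png"); the last extension is governed by the allowlist.
EXECUTABLE_SEGMENT = re.compile(r"^(php\d*|phtml|phar|phps|cgi|pl|py|sh|htaccess|ini)$")

# One path component: no empty, ".", "..", or dot-files such as ".htaccess".
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Leading bytes for binary types with a well-known signature.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "glb": (b"glTF",),
    "wasm": (b"\x00asm",),
}


def weak_check(filename: str) -> bool:
    """A denylist on one spelling of one extension: trivially bypassed."""
    return not filename.endswith(".php")


def validate_upload_path(relative_path: str) -> tuple[bool, str]:
    """Return (ok, reason) for a path relative to the app's upload folder."""
    if not relative_path or "\0" in relative_path or "\\" in relative_path:
        return False, "forbidden characters in path"
    if relative_path.startswith("/"):
        return False, "absolute path"
    parts = relative_path.split("/")
    for part in parts:
        if not SAFE_COMPONENT.match(part):
            return False, f"bad path component {part!r}"
    segments = parts[-1].lower().split(".")
    if len(segments) < 2:
        return False, "file has no extension"
    last, inner = segments[-1], segments[1:-1]
    if last not in ALLOWED_EXTENSIONS:
        return False, f"extension .{last} is not on the allowlist"
    for seg in inner:
        if EXECUTABLE_SEGMENT.match(seg):
            return False, f"inner extension .{seg} could be executed by the server"
    return True, "ok"


def validate_file(relative_path: str, data: bytes) -> tuple[bool, str]:
    """Path check plus a content check for types with a known signature."""
    ok, reason = validate_upload_path(relative_path)
    if not ok:
        return ok, reason
    ext = relative_path.rsplit(".", 1)[-1].lower()
    signatures = MAGIC.get(ext)
    if signatures and not any(data.startswith(sig) for sig in signatures):
        return False, f"content does not look like a .{ext} file"
    return True, "ok"


def validate_bundle(files: dict[str, bytes]) -> dict[str, str]:
    """Return {path: reason} for every file to reject; empty means accept all."""
    rejected = {}
    for path, data in files.items():
        ok, reason = validate_file(path, data)
        if not ok:
            rejected[path] = reason
    return rejected


# Constructed sample bundle (not a real export): four legitimate app files
# and five uploads that a file-type check must refuse.
SAMPLE_BUNDLE = {
    "index.html": b"<!doctype html><script src='app.js'></script>",
    "app.js": b"console.log('hi');",
    "media/logo.png": b"\x89PNG\r\n\x1a\n" + bytes(16),
    "scene.glb": b"glTF" + bytes(12),
    "shell.php": b"<?php system($_GET['c']); ?>",
    "shell.php.png": b"<?php system($_GET['c']); ?>",
    "../wp-config.php": b"",
    ".htaccess": b"AddType application/x-httpd-php .png",
    "media/fake.png": b"<?php echo 1; ?>",
}

if __name__ == "__main__":
    for path, reason in validate_bundle(SAMPLE_BUNDLE).items():
        print(f"REJECT {path}: {reason}")
```

The point of checking every inner extension, not only the last one, is that some Apache configurations hand `shell.php.png` to the PHP handler; and the magic-byte check catches a PHP payload saved under an allowed image extension, which matters if any other misconfiguration ever maps that extension to an interpreter. Server-side, the upload directory should also be served without script execution, which this code does not replace.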

    #69495
    xeon
    Customer

    Thank you for bringing this up, so that all users of this plug-in are now aware.

    Verge3D adoption has its challenges due to the economic and political landscape; we don't need any other reasons for clients to think negatively.

    I hope this gets resolved quickly.

    Xeon
    Route 66 Digital
    Interactive Solutions - https://www.r66d.com
    Tutorials - https://www.xeons3dlab.com

    #69497
    kdv
    Participant

    Disable REST API for this add-on, upload Verge3D apps via FTP.

    Puzzles and JS. Fast and expensive.

    If you don’t see the meaning in something it primarily means that you just don’t see it but not the absence of meaning at all.

    #69498

    We’ll look into this ASAP. :scratch:

    Chief 3D Verger | LinkedIn | Twitter

    #69500
    PLAN8
    Customer

    Thanks Yuri

    #69501
    PLAN8
    Customer

    :good:

    #69535

    Hi,

    We did some investigation and have some updates.

    This looks scary at first sight, but in reality only privileged users can exploit this vulnerability (such as admins and sales staff).

    I guess the guys who opened this issue just used some tool to scan the plugin code and posted the results.

    Anyway, we are working to get rid of this issue altogether!

    Soft8Soft Tech Chief
    X | FB | LinkedIn

    #69536
    PLAN8
    Customer

    Hi,

    We did some investigation and have some updates.

    This looks scary at first sight, but in reality only privileged users can exploit this vulnerability (such as admins and sales staff).

    I guess the guys who opened this issue just used some tool to scan the plugin code and posted the results.

    Anyway, we are working to get rid of this issue altogether!

    Hi Alexander, thanks for the update. Yes, that's actually how I interpreted the threat as well, and for me, as a sole admin, that wouldn't really be a problem, but I guess for sites with multiple users this could be alarming.

    However, as per my follow up messages after the OP, I still do think this highlights the absolutely essential requirement for V3D app manager to have the ability to locally export a “clean” set of application only required files (without any non application specific files), so that the average user like myself can feel confident they are only uploading the required web app files and nothing else – this really is a super critical change as far as I am concerned.

    Thanks for updating!

    #69550

    However, as per my follow up messages after the OP, I still do think this highlights the absolutely essential requirement for V3D app manager to have the ability to locally export a “clean” set of application only required files (without any non application specific files)

    We’ll definitely look at this also!

    Soft8Soft Tech Chief
    X | FB | LinkedIn

    #69564
    PLAN8
    Customer

    However, as per my follow up messages after the OP, I still do think this highlights the absolutely essential requirement for V3D app manager to have the ability to locally export a “clean” set of application only required files (without any non application specific files)

    We’ll definitely look at this also!

    :good:

    #69578

    BTW, we have just released a new version of the plugin which contains the fixes. You should be able to install it already.

    Soft8Soft Tech Chief
    X | FB | LinkedIn
